From owner-freebsd-security Wed Feb 5 12:46:08 1997
From: Karl Denninger
Message-Id: <199702052045.OAA13118@Jupiter.Mcs.Net>
Subject: PATCH VERIFIED AGAINST CRONTAB AND AT FOR -CURRENT BRANCH
To: guido@gvr.win.tue.nl (Guido van Rooij)
Date: Wed, 5 Feb 1997 14:45:57 -0600 (CST)
Cc: tqbf@enteract.com, karl@Mcs.Net, freebsd-security@freebsd.org, current@freebsd.org
In-Reply-To: <199702052021.VAA17555@gvr.win.tue.nl> from "Guido van Rooij" at Feb 5, 97 09:21:39 pm

> > An advisory for this problem needs to be released immediately. The FreeBSD
> > project needs to come to grips with the fact that there are many, many
> > people who won't act on a problem until CERT releases an advisory. Until
> > that happens, people will remain vulnerable to the problem, regardless of
> > how much effort goes into finding "the right fix".
>
> I only want to make an advisory when we can advise something. At this time
> there is still uncertainty about what to do. I think the following
> should do the trick:
>
> 1) patch for crt0.c including something where the env. variable will be
>    ignored for SUID/SGID programs. This should solve the case where
>    ppl. want to rebuild everything
> 2) For a binary only fix:
>    a) new shared libc's for every release since 2.0
>    b) the lfix program that patches out the call to startup_setlocale
>       in the binary; this for every release and including
>       checks for immutable and append only flags. And of
>       course a README that will not leave any doubt on the
>       exact actions to take.
>
> That should do the trick. Please correct me if I forgot anything.
>
> -Guido

Ok. My preliminary testing is complete.

The patch that I made to setlocale() absolutely does close the hole for
"crontab" and "at" in the -CURRENT branch. The exploit Tom provided to me no
longer produces a core fault (which indicates that the stack frame got
clobbered, and that minor adjustments to it would produce a root shell prompt
instead).

As such, I expect that the rest of the problem is *ALSO* fixed with the patch
that I posted to the security and current lists.

Critique away. If there isn't a DAMN GOOD reason not to commit that fix, I
believe it should go in. Like now.

--
Karl Denninger (karl@MCS.Net)| MCSNet - The Finest Internet Connectivity
http://www.mcs.net/~karl     | T1's from $600 monthly to FULL DS-3 Service
                             | 99 Analog numbers, 77 ISDN, Web servers $75/mo
Voice: [+1 312 803-MCS1 x219]| Email to "info@mcs.net" WWW: http://www.mcs.net/
Fax:   [+1 773 248-9865]     | 2 FULL DS-3 Internet links; 400Mbps B/W Internal
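As an added illustration of the two defensive points in the thread (Guido's item 1, ignoring the locale environment variable in SUID/SGID programs, and the bounded copy that stops the stack frame being clobbered), here is hardened startup-style locale selection in C. This is example code written for this note, not Karl's patch nor FreeBSD's startup_setlocale or libc; the 32-byte buffer, the locale-name character rule and the function names are assumptions.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>
#include <unistd.h>

/* Assumed bound for the example: the largest locale name the fixed-size
 * buffer in this hypothetical startup routine can hold, NUL included. */
#define LOCALE_BUF 32

/* A set-user-ID or set-group-ID process runs with credentials that differ
 * from the invoking user's, so its environment is untrusted input and must
 * not steer library behaviour. Same check the crt0.c fix in the thread needs. */
int running_setugid(void)
{
    return getuid() != geteuid() || getgid() != getegid();
}

/* Accept a value only if a NUL terminator exists within `cap` bytes (this is
 * the overflow case the exploit relies on) and every character is one found
 * in locale names: letters, digits, '_', '-', '.', '@'. Rejecting '/' stops
 * the value from naming a path outside the locale directory. */
int locale_value_ok(const char *val, size_t cap)
{
    size_t n = 0;
    if (val == NULL || *val == '\0')
        return 0;
    while (n < cap && val[n] != '\0')      /* never scan past the buffer size */
        n++;
    if (n == cap)
        return 0;                          /* too long: would not fit with NUL */
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)val[i];
        if (!isalnum(c) && c != '_' && c != '-' && c != '.' && c != '@')
            return 0;
    }
    return 1;
}

/* Decide which locale to apply. `setugid` is passed in (normally the result
 * of running_setugid()) so the decision can be tested. Returns 1 when the
 * environment value was accepted, 0 when the safe default "C" was used. */
int pick_locale(const char *env_value, int setugid, char *dst, size_t cap)
{
    if (cap == 0)
        return 0;
    if (!setugid && locale_value_ok(env_value, cap)) {
        memcpy(dst, env_value, strlen(env_value) + 1);  /* length checked above */
        return 1;
    }
    dst[0] = 'C';                          /* fallback always fits: cap >= 1 */
    dst[cap > 1 ? 1 : 0] = '\0';
    return 0;
}
```

In a real startup routine `env_value` would be the result of `getenv("LC_ALL")` (or the other LC_* variables) and `setugid` would come from `running_setugid()`; the untrusted value is only ever copied after both checks pass.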